Australian Information Security Management Conference
Document Type
Conference Proceeding
Publisher
Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
Abstract
During a denial of service attack, it is difficult for a firewall to differentiate legitimate packets from rogue packets, particularly in large networks carrying substantial levels of traffic. Large networks commonly use network intrusion detection systems to identify such attacks, however new viruses and worms can escape detection until their signatures are known and classified as an attack. Commonly used IDS are rule based and static, and produce a high number of false positive alerts. The aim of this research was to determine if it is possible for a firewall to analyse its own traffic patterns to identify attempted denial of service. Statistical analyses of firewall logs for a large network were carried out and a baseline determined. Estimated traffic levels were projected using linear regression and Holt-Winter methods for comparison with the baseline. The research proposes a Neural Network model for forecasting rejected traffic falling outside the projected level for the network under study that could indicate an attack. The results of the research were positive with variance from the projected rejected packet levels successfully indicating an attack in the test network.
DOI
10.4225/75/57b56484b8771
Comments
6th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, 1st to 3rd December 2006.